Mozilla Issues Final Warning to CAs Over Subordinate Certificates

Earlier this month, Trustwave had a change of heart and reversed a decision to issue subordinate certificates that allowed a private company the ability to impersonate virtually any domain on the Web. Those actions have led Mozilla to clarify its stance on the issue, and offer one final warning to any company seeking to offer the same business services that Trustwave walked away from.

The big question in the aftermath of the Trustwave incident centered on the other CAs, leaving many to ponder who else was issuing subordinate root certificates. Mozilla wants to know that as well, in addition to the demands that the practice stop.

“Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe, up to and including the removal of root certificates that mis-issue, as well as any roots that cross-sign them,” commented Johnathan Nightingale, Mozilla’s senior director of Firefox engineering in a company blog post.

On Friday, Mozilla sent CAs a list of items that they are to take action on immediately. They have until March 2 to respond to Mozilla with the status of the request. While the list of items and the letter in which they are presented is cordial enough, the intent is clear – make sure this is done or risk your status within Firefox.

The key item is that CAs must confirm that they are not issuing subordinate certificates which can be used for Man-In-The-Middle sessions or traffic management, “regardless of whether it is in a closed and controlled environment or not.”

CAs are to audit certificates they have issued and ensure that those being used in such a fashion are revoked.

“As a CA in Mozilla’s root program you are ultimately responsible for certificates issued by you and any intermediate CAs that chain up to your roots. After April 27, 2012, if it is found that a subordinate CA is being used for MITM, we will take action to mitigate, including and up to removing the corresponding root certificate. Based on Mozilla’s assessment, we may also remove any of your other root certificates, and root certificates from other organizations that cross-sign your certificates,” the letter states.

In addition to the subordinate certificates, CAs are to audit their EVSSL deployments, and revoke any that do not meet the necessary requirements, such as maximum validity period of the certificate, subject naming, minimum key sizes, required extensions, and maximum expiration time of OCSP responses.

Mozilla said they plan to publish the CAs responses, but did not mention a timeframe.